---------- Forwarded message ----------
From: security curmudgeon <jericho at attrition.org>
To: sesser at hardened-php.net
Date: Fri, 30 Dec 2005 18:22:19 -0500 (EST)
Subject: TinyMCE advisory question

Hey Stefan,

In the advisory, the solution says to download the latest version. The vendor
page shows 2.0.1 as the latest, but the changelog shows it fixes one issue and
is dated almost a month before your disclosure to the vendor:

http://tinymce.moxiecode.com/tinymce/changelog
Version 2.0.1 (2005-12-02)
Fixed critical bug in some MSIE versions when submiting content.

http://www.hardened-php.net/advisory_262005.111.html
Disclosure Timeline:
27. December 2005 - Disclosed vulnerability to vendor

Can you confirm 2.0.1 is the version you refer to? Or is the changelog entry
above a different issue?

Thanks!

Brian
OSVDB.org